Run Unleashed on the Ruckus R730
The R730 has similar hardware to the R850, so it can be converted to run Unleashed.
NOTE
The steps below assume the AP is plugged directly into your computer.
If your AP is plugged into a switch and is picking up an IP address via DHCP, then you will have to substitute its assigned IP address wherever the text 192.168.0.1 appears below.
Download and extract vulnerable R730 firmware
Download the ZoneDirector 10.1.2.0.120 Software Release, which contains a vulnerable R730 AP image.
Your internet browser can extract the R730 AP Image from the ZoneDirector Software Image.
Manual Extraction Steps
Decrypt the image, then use an archive tool like 7-Zip to extract the firmwares/ap-patch/patch000/ap-arm-11ax/10.1.2.0.120/rcks_fw.bl7.main AP image file.
Install the vulnerable firmware
Log in to the AP's web administration interface.
TIP
You may need to do a factory reset (by sticking a pin in the reset hole for a few seconds) if you don't know the username & password.
The default username is "super", password is "sp-admin".
TIP
Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).
Upgrade the firmware
Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select the rcks_fw.bl7.main firmware file you extracted above.
Choose Perform Upgrade.
TIP
The upgrade will take a few minutes.
SSH to the AP
The old firmware only offers an ssh-rsa host key, which recent OpenSSH clients reject by default, so the host key algorithm has to be re-enabled explicitly:
$ ssh -oHostKeyAlgorithms=+ssh-rsa 192.168.0.1
Perform command injection
rkscli: Ruckus
Now type ";/bin/sh;" and hit enter (you won't be able to see what you're typing).
grrrr
TIP
Instead of grrrr, another dog noise could be printed to the screen.
Escape to shell
rkscli: !v54!
What's your chow:
Now hit enter.
BusyBox v1.15.2 (2015-07-21 22:07:19 PDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
You now have a root shell.
Store R850 model information
# bsp set name R850
# bsp set model R850
# bsp commit
You will see something like this:
Saving flash .....
bdSave: sizeof(bd)=0x7c, sizeof(rbd)=0xd0
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
updating flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
updating flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
_erase_flash: offset=0x0 count=1
Erase Total 1 Units
Performing Flash Erase of length 262144 at offset 0x0 done
caching flash data from /dev/mtd3 [ 0x00000000 - 0x00010000 ]
verifying flash data [0x00000000 - 0x0000007c] from [0x7f8a7ac8 - 0x7f8a7b44]
verifying flash data [0x00008000 - 0x000080d0] from [0x7f8a7b44 - 0x7f8a7c14]
... Changes saved to flash
You should now immediately install Unleashed.
WARNING
In particular, do not factory reset the AP until you've installed the Unleashed firmware.
Install Unleashed
Log in to the AP's web administration interface.
TIP
Your browser will show a security warning. This is normal and you should choose Advanced and then click through to the website by pressing Accept the Risk and Continue or Continue to 192.168.0.1 (unsafe) (the exact wording will vary depending on your browser).
Upgrade to Ruckus Unleashed
I assume you have downloaded the latest Ruckus R850 Unleashed firmware.
Navigate to Maintenance > Upgrade.
Choose Upgrade Method: Local and press the Local File Name: Browse... button and select your Ruckus R850 Unleashed firmware file.
Choose Perform Upgrade.
TIP
The upgrade will take several minutes. You probably won't be able to reconnect for a few minutes after the web administration interface says the upgrade is finished.
Notes
The R730 reportedly has issues with 160 MHz wide channels, so it's best to limit channel width to 80 MHz or less.
If your AP is broadcasting an extra Technical.Support-xxxx SSID after you've finished setting up Unleashed, then you can try enabling Unleashed Multi-Site Manager (Admin & Services > Administration > Network Management > Unleashed Multi-Site Manager) with an unreachable IP, then immediately disabling it again.